APPLICATION OF 



BENJAMIN ARAZI 



FOR LETTERS PATENT OF THE UNITED STATES 



METHODS AND SYSTEMS FOR EFFICIENT CHAINED CERTIFICATION 



James J. DeCarlo 

Registration No. 36,120 

Attorney for Applicant 

STROOCK & STROOCK & LAVAN LLP 

180 Maiden Lane 

New York, New York 10038 

(212) 806-5400 



Atty. Docket No.: 111671/0006 



1095753vl 






METHODS AND SYSTEMS FOR EFFICIENT CHAINED CERTIFICATION 

Field of The Invention 

The present invention relates to systems and methods for efficiently chaining a certification in a PKI (Public Key Infrastructure), from a Certifying Authority to end users, using operations over elliptic curves and modular exponentiations over finite fields or groups. 

Background of the Invention 

The validity of public key cryptographic applications is based on the assumption that the public key Y_i submitted by a user, termed User_i, is valid. That is, Y_i is assumed to be undeniably associated with the identification details, termed ID_i, of User_i. Verifying the validity of Y_i is commonly done, by the recipient, by referring to a certificate, which is submitted by User_i together with Y_i and ID_i. 

The certificate typically consists of the signature of a CA (Certifying Authority) on the association between Y_i and ID_i. In order to generate a certificate, the CA uses a private key, according to the concept of public key cryptography. 

Upon receiving Y_i, ID_i and the certificate, the recipient verifies the correct association between Y_i and ID_i by referring to the certificate and effecting a signature verification procedure, using the public key of the CA. 

When using digital signature procedures based on the discrete logarithm problem, the signature verification procedure is based on effecting two modular exponentiation operations, as is generally known to persons skilled in the art. 
In a 'chained certification', a User_i attests the association between the public key and the identification details of another user, termed User_(i+1). User_(i+1) attests the association between the public key and the identification details of User_(i+2), etc. (The index i refers to the hierarchical level, in a certification chain, of a user, with respect to the CA, who acts as User_0.) 

Using customary certification approaches, User_i, starting with the CA who acts as User_0, signs the association between the public key and the identification details of User_(i+1) by generating an explicit signature, thereby generating the certificate Cert_(i+1). Using signature methods which are based on the discrete logarithm problem, a certificate Cert_i is a pair {c_i, B_i}, where c_i is a scalar and B_i is a group-element over which the discrete logarithm problem applies. 

To verify the correct association between the public key of User_(i+1) and the identification details of User_(i+1), a verifier needs to know the public keys and the identification details of all users from User_1 to User_(i+1). The verifier further needs to know the public key of the CA (as was said, the CA acts as User_0) and all certificates from Cert_1 to Cert_(i+1). Based on these values, the verifier effects i+1 signature verification procedures, where each such signature verification requires two modular exponentiations. Altogether, the verifier performs 2(i+1) exponentiation operations. 

The art has so far failed to provide means by which chained certificate verification can be implemented with fewer mathematical operations, so that certificate verification requires less computation. 

It is therefore an object of the present invention to provide a method by which chained certificate verification can be carried out with high efficiency. 

Other objects of the invention will become apparent as the description proceeds. 

SUMMARY OF THE INVENTION 

The invention relates to a method for effecting a chained key-issuing process over a finite group of points in which the discrete logarithm problem applies, wherein an issuing user (User_i), who possesses an issuing user public value (U_i) and an issuing user private key (x_i), provides to a successor user (User_(i+1)) a successor user public value (U_(i+1)) and a successor user private key (x_(i+1)), and where the issuing user, except for a Certifying Authority (CA), was a successor user in a preceding step in the chained key-issuing process, and where the Certifying Authority acts as the first issuing user in the chained key-issuing process. The method comprises the steps of: 

(a) permitting the Certifying Authority to select a generating group-point (G) whose 
exponentiations to various powers generate various group-points and a converting mathematical 
operation (H) which converts several input values into a scalar; 

(b) permitting the Certifying Authority to possess a Certifying Authority private key (x_0); 

(c) permitting the Certifying Authority to possess a Certifying Authority public value (U_0), obtained by exponentiating the generating group-point to the power of the Certifying Authority private key (U_0 = x_0*G); 

(d) permitting the issuing user (User_i) to possess the generating group-point (G) and the converting mathematical operation (H) and the identification details (ID_(i+1)) of the successor user; 


(e) permitting the issuing user (User_i) to possess an issuing user private key (x_i), where, except for the case in which the issuing user is the Certifying Authority, the issuing user private key was provided to the issuing user at a preceding stage in the chained key-issuing process (in which User_i acted as a successor user in respect to an issuing User_(i-1)); 

(f) permitting the issuing user (User_i) to calculate the successor user public value (U_(i+1)) and the successor user private key (x_(i+1)), wherein: 

a successor user random value (k_(i+1)) is generated and the successor user public value (U_(i+1)) is calculated by exponentiating the generating group-point to the power of the successor user random value (U_(i+1) = k_(i+1)*G); 

a successor user representing value (H(ID_(i+1),U_(i+1))) is calculated by operating with the converting mathematical operation on the successor user identification details (ID_(i+1)) and the successor user public value (U_(i+1)); 

the successor user private key (x_(i+1)) is calculated by multiplying the successor user representing value (H(ID_(i+1),U_(i+1))) by the successor user random value (k_(i+1)) and adding the issuing user private key (x_i) to the product obtained by the multiplication (x_(i+1) = H(ID_(i+1),U_(i+1))*k_(i+1) + x_i) and reducing the result modulo the order of said generating group-point; and 

(g) permitting said issuing user (User_i) to submit the successor user public value (U_(i+1)) and the successor user private key (x_(i+1)) to the successor user (User_(i+1)). 
According to a preferred embodiment of the invention, there is provided a method where the issuing user (User_i) does not know the successor user private key (x_(i+1)), the above-described method further comprising the steps of: 

(i) permitting the successor user (User_(i+1)) to generate a first random value (m_(i+1)) and calculate a first intermediate group-point (m_(i+1)*G) by exponentiating the generating group-point to the power of the first random value; 

(ii) permitting the successor user to submit the first intermediate group-point (m_(i+1)*G) to the issuing user (User_i); 

(iii) permitting the issuing user to calculate a successor user public value (U_(i+1)) and a successor user intermediate private key (p_(i+1)), wherein: 

a second random value (k_(i+1)) is generated and a second intermediate group-point (k_(i+1)*G) is calculated by exponentiating the generating group-point to the power of said second random value; 

the successor user public value (U_(i+1)) is calculated by adding the first intermediate group-point and the second intermediate group-point (U_(i+1) = m_(i+1)*G + k_(i+1)*G); 

a successor user representing value (H(ID_(i+1),U_(i+1))) is calculated in the way described; 

the successor user intermediate private key (p_(i+1)) is calculated by multiplying the successor user representing value (H(ID_(i+1),U_(i+1))) by said second random value (k_(i+1)) and adding the issuing user private key (x_i) to the product obtained by the multiplication (p_(i+1) = H(ID_(i+1),U_(i+1))*k_(i+1) + x_i) and reducing the result modulo the order of said generating group-point; and 

(iv) permitting the successor user to generate the successor user private key (x_(i+1)) by calculating the successor user representing value (H(ID_(i+1),U_(i+1))) in the way described and multiplying said successor user representing value by the first random value (m_(i+1)) and adding the successor user intermediate private key (p_(i+1)) to the product obtained by the multiplication (x_(i+1) = H(ID_(i+1),U_(i+1))*m_(i+1) + p_(i+1)) and reducing the result modulo the order of the generating group-point. 

In another embodiment, the invention is directed to a certificate generation system for permitting a generating user who is a successor user (User_(i+1)) according to the aforementioned method of the invention, to issue a certificate to a general user (User_(i+2)) where the certificate attests to the association between the general user public key (Y_(i+2)) and the general user identification details (ID_(i+2)), where the general user public key was issued to the general user according to any known public key cryptographic method, the system comprising: 

means for permitting the generating user to generate a first random scalar (k_(i+2)); 

means for permitting the generating user to calculate a first part of a certificate (T_(i+2)) by exponentiating the generating group-point to the power of the first random scalar (T_(i+2) = k_(i+2)*G); 

means for permitting the generating user to calculate a general user representing value (H(ID_(i+2),Y_(i+2),T_(i+2))) by operating with the converting mathematical operation on the general user identification details (ID_(i+2)) and the general user public key (Y_(i+2)) and the first part of a certificate (T_(i+2)); 

means for permitting the generating user to calculate a second part of a certificate (s_(i+2)) by multiplying said general user representing value by the first random scalar (k_(i+2)) and adding the private key (x_(i+1)) of the generating user to the product obtained by the multiplication (s_(i+2) = H(ID_(i+2),Y_(i+2),T_(i+2))*k_(i+2) + x_(i+1)) and reducing the result modulo the order of the generating group-point; and 

means for permitting the generating user to submit the certificate to the general user, the certificate being comprised of the first part of a certificate (T_(i+2)) and the second part of a certificate (s_(i+2)). 

According to a preferred embodiment of the invention there is provided a chained certificate verification system for permitting a verifying user to verify the authenticity of the certificate (T_(i+2) and s_(i+2)) issued to the general user (User_(i+2)), as defined above and elsewhere herein, the system comprising: 

means for providing the verifying user with the certificate and with the general user public key (Y_(i+2)) and with the general user identification details (ID_(i+2)) and with the Certifying Authority public value (U_0) and with a plurality of pairs of values (ID_j and U_j) consisting of the identification details and public values of all users (User_j, j = 1, 2, ..., i+1) in the chained key-issuing process described above and elsewhere herein, starting with the first successor user (User_1) after the Certifying Authority and ending with the generating user (User_(i+1)) as hereinbefore and hereafter defined; 

means for permitting the verifying user to verify the validity of the certificate, wherein: 

a first scalar (H(ID_(i+2),Y_(i+2),T_(i+2))) is calculated by operating with the converting mathematical operation on the general user identification details (ID_(i+2)) and the general user public key (Y_(i+2)) and the first part of the certificate (T_(i+2)); 

a first intermediate group-point (H(ID_(i+2),Y_(i+2),T_(i+2))*T_(i+2)) is calculated by exponentiating the first part of the certificate (T_(i+2)) to the power of the first scalar; 

user representing values (H(ID_j,U_j), j = 1, 2, ..., i+1) are calculated by operating with the converting mathematical operation on each pair of the plurality of pairs of values (ID_j and U_j); 

user temporary group-points (H(ID_j,U_j)*U_j, j = 1, 2, ..., i+1) are calculated for each user in the chained key-issuing process, starting with the first successor user (User_1) and ending with the generating user (User_(i+1)), by exponentiating each user public value (U_j) to the power of the user representing value (H(ID_j,U_j)); 

a second intermediate group-point (P) is calculated by adding all user temporary group-points (P = H(ID_(i+1),U_(i+1))*U_(i+1) + H(ID_i,U_i)*U_i + H(ID_(i-1),U_(i-1))*U_(i-1) + ... + H(ID_1,U_1)*U_1); 

a third intermediate group-point (Q) is calculated by adding the first intermediate group-point and the second intermediate group-point and the public value of said Certifying Authority (Q = H(ID_(i+2),Y_(i+2),T_(i+2))*T_(i+2) + P + U_0); 

a fourth intermediate group-point (s_(i+2)*G) is calculated by exponentiating the generating group-point to the power of the second part (s_(i+2)) of the certificate; 

the value of the fourth intermediate group-point (s_(i+2)*G) is compared to that of the third intermediate group-point (Q) and the certificate is determined as being valid in the case of equality. 

In a further embodiment, the present invention is directed to a chained signature generation and verification system for permitting a successor user (User_(i+1)) according to the method of the invention, to generate a signature and permitting a verifying party to verify the signature, the system comprising: 

means for permitting the successor user (User_(i+1)) to generate a signature on a message (m) wherein: 

a first scalar (k) is randomly generated; 

a first part of a signature (T) is generated by exponentiating the generating group-point to the power of said first scalar (T = k*G); 

a representing value (H(m,T)) is generated by operating with the converting mathematical operation on the message (m) and the first part of a signature (T); 

a second part of a signature (s) is calculated by multiplying the representing value (H(m,T)) by the first scalar (k) and adding the private key of the successor user (x_(i+1)) to the product obtained by the multiplication (s = H(m,T)*k + x_(i+1)) and reducing the result modulo the order of said generating group-point; 

means for permitting the successor user to submit the message (m) and the signature (T and s) to the verifying party, the signature consisting of the first part of a signature (T) and the second part of a signature (s); 

means for providing the verifying party with the Certifying Authority public value (U_0) and with a plurality of pairs of values (ID_j and U_j) consisting of the identification details and public values of all users (User_j, j = 1, 2, ..., i+1) in the chained key-issuing process as hereinbefore and hereafter described, starting with the first successor user (User_1) after the Certifying Authority and ending with the successor user (User_(i+1)); and 

means for permitting the verifying party to verify the validity of the signature (T and s) on said message (m), wherein: 

the representing value (H(m,T)) is generated in the way described; 

a first intermediate group-point (H(m,T)*T) is calculated by exponentiating the first part of the signature (T) to the power of the representing value; 

user representing values (H(ID_j,U_j), j = 1, 2, ..., i+1) are calculated by operating with the converting mathematical operation on each pair of the plurality of pairs of values (ID_j and U_j); 

user temporary group-points (H(ID_j,U_j)*U_j, j = 1, 2, ..., i+1) are calculated for each user in the chained key-issuing process, starting with the first successor user (User_1) and ending with the successor user (User_(i+1)), by exponentiating each user public value (U_j) to the power of the user representing value (H(ID_j,U_j)); 

a second intermediate group-point (P) is calculated by adding all the temporary group-points (P = H(ID_(i+1),U_(i+1))*U_(i+1) + H(ID_i,U_i)*U_i + H(ID_(i-1),U_(i-1))*U_(i-1) + ... + H(ID_1,U_1)*U_1); 

a third intermediate group-point (Q) is calculated by adding the first intermediate group-point and the second intermediate group-point and the public value of said Certifying Authority (Q = H(m,T)*T + P + U_0); 

a fourth intermediate group-point (s*G) is calculated by exponentiating the generating group-point to the power of the second part (s) of said signature; 

the value of the fourth intermediate group-point (s*G) is compared to that of the third intermediate group-point (Q) and the signature is determined as being valid in the case of equality. 
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

All the above and other characteristics and advantages of the invention, though clear to the skilled person from the disclosure provided herein, will be better understood through the following illustrative and non-limitative description of preferred embodiments thereof. 

The implementations rely on a finite group of points over which the discrete logarithm problem applies. 

The following notations and terms are used throughout the description of the various embodiments of this invention: 

The term "group-point" refers to an element of a finite group of points in which the discrete logarithm problem applies. 

A group-point is denoted in bold. 

s*P is a group-point obtained by exponentiating the group-point P to the power s. 

A 'scalar' is a value which acts as an exponent. It is denoted by lower-case letters. 

The '+' notation in the expression s*P + t*Q means an addition of two group-points under the specific features of said finite group of points. 

G denotes a generating group-point, joint to all users of a given system. 

log P is the scalar k such that P = k*G. Note that log(A+B) = log A + log B. 

Scalars are calculated modulo the order of G. 

User_i refers to the i-th user in a certification chain (in which the CA is User_0). 

x_i refers to the private key of User_i. 

U_i refers to the public value of User_i. User_i, except for User_0 (which is the CA), does not know log U_i. 

H(c,B,D), H(c,B), H(B) refers to a mathematical operation, known to the CA and to all users, that converts a scalar and two group-points, or a scalar and a group-point, or a group-point, into a scalar. For the case of operating over elliptic curves, a preferred implementation of the operation H(B) is taking the value of the x-coordinate of the group-point B. 

A preferred first embodiment of this invention is directed to a chained key-issuing method wherein a user, termed User_i, provides personal keys to another user, termed User_(i+1), and where the Certifying Authority, termed CA, acts as User_0. The personal keys, which consist of a private key x_(i+1) and a public value U_(i+1) and which are distinct for each user, are provided for the purpose of effecting public key cryptographic operations over a finite group of points in which the discrete logarithm problem applies. 

The identification details of said User_(i+1) are termed ID_(i+1). The private key of said User_i is a scalar x_i. 

User_i performs the following operations: generate a random k_(i+1); calculate U_(i+1) = k_(i+1)*G, for a generating group-point G, joint to all users; calculate x_(i+1) = H(ID_(i+1),U_(i+1))*k_(i+1) + x_i, where H(c,B) is a compressing mathematical operation, known to the CA and to all users, that converts the group-point B and a scalar c into a scalar. x_(i+1), like other scalars calculated in the processes included in this invention, is calculated modulo the order of said generating group-point G, as will be clear to persons skilled in the art. 


User_i issues said values x_(i+1) and U_(i+1) to User_(i+1). These two values serve, respectively, as the user's private value and the user's public value. In this case, the private key x_(i+1) of User_(i+1) is known to User_i. 

User_(i+1) is also provided with the public value U_0 of the CA and the identification details ID_j and public values U_j, for j = 1, 2, ..., i. That is, User_(i+1) is provided with the identification details and public values of all users that preceded him in the certification chain. 

User_(i+1) can establish the validity of the values x_(i+1) and U_(i+1) issued by User_i by checking whether x_(i+1)*G = H(ID_(i+1),U_(i+1))*U_(i+1) + H(ID_i,U_i)*U_i + H(ID_(i-1),U_(i-1))*U_(i-1) + ... + H(ID_1,U_1)*U_1 + U_0. 

A preferred second embodiment of this invention is directed to a method, which is an alternative to the method according to the first embodiment of this invention, by which User_i provides personal keys to User_(i+1). 

According to the preferred second embodiment of this invention, and using the same notations used in the first embodiment, User_(i+1) generates a random m_(i+1) and submits m_(i+1)*G to User_i. User_i performs the following operations: generate a random k_(i+1); calculate k_(i+1)*G and U_(i+1) = m_(i+1)*G + k_(i+1)*G; and calculate p_(i+1) = H(ID_(i+1),U_(i+1))*k_(i+1) + x_i. User_i issues said values p_(i+1) and U_(i+1) to User_(i+1). User_(i+1) generates his private key x_(i+1) = p_(i+1) + H(ID_(i+1),U_(i+1))*m_(i+1). That is: x_(i+1) = H(ID_(i+1),U_(i+1))*(k_(i+1) + m_(i+1)) + x_i. User_(i+1) can establish the validity of the values p_(i+1) and U_(i+1) issued to him by User_i by checking whether p_(i+1)*G = H(ID_(i+1),U_(i+1))*(k_(i+1)*G) + H(ID_i,U_i)*U_i + H(ID_(i-1),U_(i-1))*U_(i-1) + ... + H(ID_1,U_1)*U_1 + U_0. (User_(i+1) calculates k_(i+1)*G by subtracting m_(i+1)*G from U_(i+1).) 

The method according to the preferred second embodiment of this invention does not allow User_i to know the private key x_(i+1) of User_(i+1), unlike the method according to the preferred first embodiment of this invention. 
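The two key-issuing variants above, worked through in Python as an added example (not code from the application): the group is a constructed toy Schnorr group modulo a small safe prime, written multiplicatively so that the text's s*P is pow(P, s, p) and P + Q is P*Q mod p; H is taken as SHA-256 reduced modulo the group order, a choice the text leaves open; and the names issue, issue_blinded, unblind, chain_point and build_chain are this example's own. It carries out the check each successor user makes on the values it receives, for both the first embodiment (issuer knows x_(i+1)) and the blinded second embodiment (issuer does not).

```python
import hashlib
import secrets

# Constructed toy group (this example's assumption, not the application's):
# p is a safe prime and q = (p - 1) / 2 is the prime order of G.  Far too
# small for real use; it only keeps the numbers readable.  The text's "s*P"
# is pow(P, s, p) here and its "P + Q" is P * Q mod p, so log(A+B) = log A + log B.
P_MOD = 2039
Q_ORD = 1019
G = 4  # a quadratic residue mod p, hence of prime order q


def H(*parts) -> int:
    """Converting operation H (strings and group elements to a scalar mod q);
    SHA-256 over a canonical encoding is this example's choice."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(digest, "big") % Q_ORD


def exp(point: int, scalar: int) -> int:
    """s*P in the text's notation."""
    return pow(point, scalar, P_MOD)


def rand_scalar() -> int:
    """Uniform scalar in [1, q-1]; k = 0 would make x_(i+1) equal x_i."""
    return secrets.randbelow(Q_ORD - 1) + 1


def ca_setup():
    """The CA (User_0) picks x_0 and publishes U_0 = x_0*G."""
    x0 = rand_scalar()
    return x0, exp(G, x0)


def issue(x_i: int, id_next: str):
    """First embodiment: User_i hands over x_(i+1) and U_(i+1), so it knows
    the successor's private key."""
    k = rand_scalar()
    u_next = exp(G, k)                                  # U_(i+1) = k*G
    x_next = (H(id_next, u_next) * k + x_i) % Q_ORD     # H(ID,U)*k + x_i
    return x_next, u_next


def chain_point(u0: int, chain) -> int:
    """H(ID_1,U_1)*U_1 + ... + H(ID_n,U_n)*U_n + U_0 for chain = [(ID_j, U_j)];
    by construction this equals x_n*G for the last user in the chain."""
    acc = u0
    for idj, uj in chain:
        acc = acc * exp(uj, H(idj, uj)) % P_MOD
    return acc


def check_issued_key(x_next: int, u0: int, chain) -> bool:
    """The check User_(i+1) makes on what it received: x_(i+1)*G == chain point."""
    return exp(G, x_next) == chain_point(u0, chain)


# Second embodiment: User_(i+1) blinds with m, so User_i never sees x_(i+1).
def blind_request():
    """User_(i+1) picks m and sends m*G to the issuer."""
    m = rand_scalar()
    return m, exp(G, m)


def issue_blinded(x_i: int, id_next: str, m_point: int):
    """User_i returns U_(i+1) = m*G + k*G and p_(i+1) = H(ID,U)*k + x_i."""
    k = rand_scalar()
    u_next = m_point * exp(G, k) % P_MOD
    p_next = (H(id_next, u_next) * k + x_i) % Q_ORD
    return p_next, u_next


def unblind(p_next: int, u_next: int, m: int, id_next: str, u0: int, chain_prev):
    """User_(i+1) recovers k*G = U_(i+1) - m*G, checks p_(i+1)*G against the
    issuer's chain, and only then forms x_(i+1) = p_(i+1) + H(ID,U)*m."""
    k_point = u_next * pow(exp(G, m), -1, P_MOD) % P_MOD
    h = H(id_next, u_next)
    if exp(G, p_next) != exp(k_point, h) * chain_point(u0, chain_prev) % P_MOD:
        raise ValueError("intermediate key p_(i+1) does not verify")
    return (p_next + h * m) % Q_ORD


def build_chain(ids, blinded_last=False):
    """Issue keys down the chain of IDs.  Returns U_0, the public reference
    information [(ID_j, U_j)] and the last user's private key."""
    x_i, u0 = ca_setup()
    chain = []
    for n, ident in enumerate(ids):
        if blinded_last and n == len(ids) - 1:
            m, m_point = blind_request()
            p, u = issue_blinded(x_i, ident, m_point)
            x_i = unblind(p, u, m, ident, u0, chain)
        else:
            x_i, u = issue(x_i, ident)
        chain.append((ident, u))
        if not check_issued_key(x_i, u0, chain):
            raise ValueError(f"key issued to {ident} fails the chain check")
    return u0, chain, x_i


if __name__ == "__main__":
    u0, chain, x_last = build_chain(["alice", "bob", "carol"], blinded_last=True)
    print("U_0 =", u0, "reference information =", chain)
    print("carol's key verifies:", check_issued_key(x_last, u0, chain))
```

Because chain_point telescopes (each U_j^H(ID_j,U_j) contributes exactly the term H*k_j that was added to the private key), the same routine verifies the CA's own key against an empty chain and any user's key against the pairs preceding and including it. Substituting a different ID for a link only goes unnoticed when H collides on the two IDs, which is why H must be collision-resistant on its inputs.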

A preferred third embodiment of this invention is directed to a certificate generation system wherein User_(i+1) according to the preferred first or second embodiments of this invention certifies the association between the public key Y_(i+2) and the identification details ID_(i+2) of a user termed User_(i+2). Public key Y_(i+2) can serve in any general public key cryptographic method, and it is not necessarily issued by said User_(i+1) or effected by the certificate generation system. 

User_(i+1) generates a random k_(i+2) and the certificate, which consists of the pair of values {T_(i+2), s_(i+2)}, where T_(i+2) = k_(i+2)*G and s_(i+2) = H(ID_(i+2),Y_(i+2),T_(i+2))*k_(i+2) + x_(i+1). 

A preferred fourth embodiment of this invention is directed to a chained certificate verification system wherein a general user verifies the association between the public key Y_(i+2) and the identification details ID_(i+2) of the user User_(i+2) defined in the preferred third embodiment of this invention. 

To effect the chained certificate verification, the general user is provided with the values ID_(i+2) and Y_(i+2), the certificate, which consists of the pair of values {T_(i+2), s_(i+2)}, the public value U_0 of the CA, and the reference information ID_j and U_j, j = 1, 2, ..., i+1. The general user then checks whether s_(i+2)*G = H(ID_(i+2),Y_(i+2),T_(i+2))*T_(i+2) + H(ID_(i+1),U_(i+1))*U_(i+1) + H(ID_i,U_i)*U_i + H(ID_(i-1),U_(i-1))*U_(i-1) + ... + H(ID_1,U_1)*U_1 + U_0. 
A preferred fifth embodiment of this invention is directed to a chained signature generation and verification system wherein User_(i+1) according to the preferred first or second embodiments of this invention signs a message m. User_(i+1) signs the message m by generating the signature which consists of the pair of values {T, s}, where T = k*G for a random k, and s = H(m,T)*k + x_(i+1). 

A general user, provided with the message m and the signature {T, s}, effects a chained signature verification based on the public value U_0 of the CA and the reference information ID_j and U_j, j = 1, 2, ..., i+1. The general user checks whether s*G = H(m,T)*T + H(ID_(i+1),U_(i+1))*U_(i+1) + H(ID_i,U_i)*U_i + H(ID_(i-1),U_(i-1))*U_(i-1) + ... + H(ID_1,U_1)*U_1 + U_0. 
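The third through fifth embodiments above, worked through in Python as an added example (not code from the application): certificate issuance by a chained user, signature generation by the same user, and the single-equation verification of either against nothing but U_0 and the reference pairs (ID_j, U_j). It uses the same constructed toy Schnorr group, the same SHA-256-based H and the same first-embodiment issuing step as the earlier example, repeated here so that the block runs on its own; the names certify, verify_cert, sign, verify_sig and in_group are this example's own, and the subgroup-membership test on T is a precaution the text does not spell out.

```python
import hashlib
import secrets

# Same constructed toy group as in the key-issuing example (an assumption of
# this example): safe prime p, G of prime order q; s*P is pow(P, s, p) and
# P + Q is P * Q mod p.
P_MOD, Q_ORD, G = 2039, 1019, 4


def H(*parts) -> int:
    """Converting operation H, here SHA-256 of the inputs reduced mod q."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q_ORD


def exp(point: int, scalar: int) -> int:
    return pow(point, scalar, P_MOD)           # s*P of the text


def rand_scalar() -> int:
    return secrets.randbelow(Q_ORD - 1) + 1    # uniform in [1, q-1]


def issue(x_i: int, id_next: str):
    """First-embodiment key issuing, repeated so this block stands alone."""
    k = rand_scalar()
    u_next = exp(G, k)
    return (H(id_next, u_next) * k + x_i) % Q_ORD, u_next


def chain_point(u0: int, chain) -> int:
    """P + U_0 of the text: the sum of H(ID_j,U_j)*U_j over the chain, plus U_0."""
    acc = u0
    for idj, uj in chain:
        acc = acc * exp(uj, H(idj, uj)) % P_MOD
    return acc


def in_group(t: int) -> bool:
    """Reject a T that is not in the order-q subgroup before using it as a base."""
    return 0 < t < P_MOD and exp(t, Q_ORD) == 1


def certify(x_issuer: int, id_subject: str, y_subject: int):
    """Third embodiment: {T, s} with T = k*G and s = H(ID,Y,T)*k + x_(i+1)."""
    k = rand_scalar()
    t = exp(G, k)
    return t, (H(id_subject, y_subject, t) * k + x_issuer) % Q_ORD


def verify_cert(cert, id_subject: str, y_subject: int, u0: int, chain) -> bool:
    """Fourth embodiment, one equation for the whole chain:
    s*G == H(ID,Y,T)*T + sum_j H(ID_j,U_j)*U_j + U_0."""
    t, s = cert
    if not (in_group(t) and 0 <= s < Q_ORD):
        return False
    q_point = exp(t, H(id_subject, y_subject, t)) * chain_point(u0, chain) % P_MOD
    return exp(G, s) == q_point


def sign(x_signer: int, message: str):
    """Fifth embodiment: {T, s} with T = k*G and s = H(m,T)*k + x_(i+1)."""
    k = rand_scalar()
    t = exp(G, k)
    return t, (H(message, t) * k + x_signer) % Q_ORD


def verify_sig(sig, message: str, u0: int, chain) -> bool:
    """s*G == H(m,T)*T + sum_j H(ID_j,U_j)*U_j + U_0."""
    t, s = sig
    if not (in_group(t) and 0 <= s < Q_ORD):
        return False
    return exp(G, s) == exp(t, H(message, t)) * chain_point(u0, chain) % P_MOD


def demo():
    """CA -> alice -> bob; bob certifies carol's independently made key Y and
    signs a message; the verifier holds only U_0 and the pairs (ID_j, U_j)."""
    x0 = rand_scalar()
    u0 = exp(G, x0)                            # the CA's U_0 = x_0*G
    x1, u1 = issue(x0, "alice")
    x2, u2 = issue(x1, "bob")
    chain = [("alice", u1), ("bob", u2)]
    y_carol = exp(G, rand_scalar())            # carol's key, from any method
    cert = certify(x2, "carol", y_carol)
    sig = sign(x2, "transfer 10")
    return (verify_cert(cert, "carol", y_carol, u0, chain),
            verify_sig(sig, "transfer 10", u0, chain))


if __name__ == "__main__":
    print(demo())
```

For a chain of i+1 users the verifier performs one exponentiation per reference pair, one for T and one for s*G, and never handles an explicit per-link signature; the bob-to-carol certificate only verifies when every pair above bob is the one the CA's chain actually produced, since replacing U_0 or any U_j changes the right-hand side.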
A preferred sixth embodiment of this invention is directed to an alternative to any of the first through fifth preferred embodiments of this invention, in which the identification details of a user are not being used. 

According to the preferred sixth embodiment of this invention, any notation of the form H(ID_i,U_i)*U_i or H(ID_i,Y_i,T_i), used in any of the first through fifth preferred embodiments of this invention, is respectively replaced by H(U_i)*U_i or H(Y_i,T_i). 

All the above description of preferred embodiments has been provided for the purpose of 
illustration, and is not intended to limit the invention in any way. Many variations can be made in 
the various methods and systems of the invention, without exceeding its scope. 